Weird Things Are Afoot In The Honeypot

Here's something you don't see every day. The logs from my SSH honeypot show
someone brute-forcing the password for root and then executing:

ls /data/data/com.android.providers.telephony/databases

This is a strange directory to look for because it's where Android devices
store the SQLite databases for SMS messages and contacts. Why would an attacker
except an SSH server on the internet to be an Android device? Are there IoT
devices based on Android that run SSH servers and also store contacts? If
someone knows, please tell me!